HP Sure Start
Technical white paper | HP Sure Start
Additionally, for HP Intel models, HP Sure Start checks the integrity of the system flash BIOS boot block every 15 minutes
while the system is running.²
Machine-unique data integrity
The HP ESC and BIOS work together to protect factory-configured critical variables that are unique to each machine and
intended to remain constant over the life of that platform. In the factory, a backup copy of this variable data is saved in
the HP ESC nonvolatile memory store. The backup is exposed to the HP Sure Start BIOS component on a read-only basis so
that it can check the integrity of the data on every boot. If any setting in the shared flash differs from the factory value,
the HP Sure Start BIOS component automatically restores the data in the system flash from the backup copy provided by
the HP ESC.
Descriptor region
For HP Intel models, HP Sure Start protects the descriptor region of the system flash. Unique to the Intel architecture, the
descriptor region contains critical configuration parameters that are sampled by the Intel Core™ logic at reset and used
thereafter to configure the Core logic. The descriptor region also holds the partitioning information for the system flash
that the Core logic uses to determine where the BIOS region resides within the flash, and therefore where the CPU fetches
its first code from reset. HP Sure Start monitors the integrity of this region and recovers it to the intended configuration
in the event of tampering or corruption.
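The partitioning information above lives in a documented structure: the descriptor's signature (0x0FF0A55A at offset 0x10), FLMAP0 (which points at the region table), and the FLREGn registers that give each region's base and limit in 4 KiB units. The following parser is an added example written for this page, not HP's code and not taken from a real HP image; it assumes the 15-bit base/limit field width of recent Intel PCHs (older ICH parts use 13 bits with the same granularity), builds a constructed 1 MiB image inline, and shows why a tampered descriptor matters: it decides where the CPU's reset code is fetched from. Besides an intact descriptor it checks two tampered cases, a corrupted signature and a BIOS region rewritten to extend past the end of the chip, and reports each as a distinct failure a boot-time monitor could act on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flash descriptor fields used here. Assumption: the 15-bit base/limit fields of
 * recent PCHs (older ICH parts use 13 bits, same 4 KiB granularity), and a
 * descriptor region occupying the first 4 KiB of the SPI image. */
#define DESC_LEN        0x1000u
#define FLVALSIG_OFFSET 0x10u
#define FLVALSIG        0x0FF0A55Au
#define FLMAP0_OFFSET   0x14u
#define FLREG_BIOS      1          /* FLREG1 describes the BIOS region */

struct flash_region { uint32_t base, limit; int present; };

static uint32_t rd32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static void wr32(uint8_t *p, size_t off, uint32_t v) {
    p[off] = (uint8_t)v;             p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/* FLREGn: bits 0-14 base and bits 16-30 limit, both in 4 KiB units. A register
 * whose base lies above its limit (the idiom is 0x00007FFF) marks an unused region. */
static struct flash_region decode_flreg(uint32_t reg) {
    struct flash_region r;
    r.base  = (reg & 0x7FFFu) << 12;
    r.limit = (((reg >> 16) & 0x7FFFu) << 12) | 0xFFFu;
    r.present = r.base < r.limit;
    return r;
}

/* Locate the BIOS region the Core logic would fetch reset code from. Returns 0
 * and fills *out, or a negative code for a descriptor that is corrupt or
 * inconsistent with the chip: -1 image too small, -2 bad signature, -3 region
 * table outside the descriptor, -4 BIOS region absent, -5 BIOS region overlaps
 * the descriptor, -6 BIOS region extends past the end of the chip. */
int find_bios_region(const uint8_t *img, size_t img_len, struct flash_region *out) {
    if (img_len < DESC_LEN) return -1;
    if (rd32(img, FLVALSIG_OFFSET) != FLVALSIG) return -2;
    size_t frba = ((rd32(img, FLMAP0_OFFSET) >> 16) & 0xFFu) << 4;  /* 16-byte units */
    if (frba + (FLREG_BIOS + 1) * 4 > DESC_LEN) return -3;
    struct flash_region bios = decode_flreg(rd32(img, frba + FLREG_BIOS * 4));
    if (!bios.present)         return -4;
    if (bios.base < DESC_LEN)  return -5;
    if (bios.limit >= img_len) return -6;
    *out = bios;
    return 0;
}

/* Constructed 1 MiB image (not an HP image): descriptor at 0x0-0xFFF, BIOS
 * region at 0x80000-0xFFFFF, ME and GbE regions marked unused. */
#define IMG_LEN (1u << 20)
static uint8_t g_img[IMG_LEN];

static void build_sample_image(uint8_t *img) {
    memset(img, 0xFF, IMG_LEN);
    wr32(img, FLVALSIG_OFFSET, FLVALSIG);
    wr32(img, FLMAP0_OFFSET, (0x04u << 16) | 0x03u);  /* FRBA = 0x40, FCBA = 0x30 */
    wr32(img, 0x40 + 0 * 4, 0x00000000u);  /* FLREG0 descriptor */
    wr32(img, 0x40 + 1 * 4, 0x00FF0080u);  /* FLREG1 BIOS: 0x80000-0xFFFFF */
    wr32(img, 0x40 + 2 * 4, 0x00007FFFu);  /* FLREG2 ME: unused */
    wr32(img, 0x40 + 3 * 4, 0x00007FFFu);  /* FLREG3 GbE: unused */
}

/* Three boot-time checks on the constructed image: intact, signature corrupted,
 * and FLREG1 rewritten so the BIOS region runs past the end of the chip. */
uint32_t sample_bios_base(void) {
    struct flash_region r;
    build_sample_image(g_img);
    return find_bios_region(g_img, IMG_LEN, &r) == 0 ? r.base : 0;
}
int sample_bad_signature(void) {
    struct flash_region r;
    build_sample_image(g_img);
    g_img[FLVALSIG_OFFSET] ^= 0x01;
    return find_bios_region(g_img, IMG_LEN, &r);
}
int sample_bad_bios_limit(void) {
    struct flash_region r;
    build_sample_image(g_img);
    wr32(g_img, 0x40 + 1 * 4, 0x01FF0080u);  /* limit 0x1FFFFF on a 1 MiB chip */
    return find_bios_region(g_img, IMG_LEN, &r);
}

int main(void) {
    printf("BIOS region base: 0x%x\n", sample_bios_base());
    printf("corrupt signature: %d, oversized BIOS region: %d\n",
           sample_bad_signature(), sample_bad_bios_limit());
    return 0;
}
```

A monitor built on this would compare the live 4 KiB descriptor against a protected golden copy rather than trust the parsed values, but the sanity checks still matter: a descriptor that parses but points the BIOS region somewhere the chip cannot satisfy is exactly the corruption case the text says must be recovered before the CPU fetches from it.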
Network controller protection
In addition, for HP Intel models, HP Sure Start protects the network controller (NIC) settings contained in the system
flash. Some HP customers have use cases that require legitimate changes to the factory-configured NIC settings, so HP
Sure Start does not block changes to NIC settings by default. Instead, it provides a feature that, when enabled, warns the
user that the NIC settings have changed, together with a method to restore the NIC settings to their factory values.
Protected settings include the MAC address, the Pre-boot Execution Environment (PXE) settings, and the remote initial
program load (RPL) settings. Restoration is possible because a read-only backup copy is held in storage protected by the
HP ESC.
BIOS setting protection
As previously described, HP Sure Start verifies the integrity and authenticity of the HP BIOS code. Because this code is
static once HP has built it, a digital signature can confirm both properties. BIOS settings, however, are dynamic and
user-configurable, which makes protecting them harder: HP cannot sign values it does not know in advance, so the
HP Sure Start ESC hardware cannot use an HP-generated signature to verify those settings.
HP Sure Start BIOS setting protection provides the capability to configure the system so that the HP ESC hardware is used
to back up and check the integrity of the BIOS settings the user has chosen.
When this feature is enabled on the platform, all policy settings used by BIOS are subsequently backed up, and an
integrity check is performed on each boot to confirm that none of the BIOS policy settings have been modified. If a
change is detected, the system automatically reverts to the user-defined settings using the backup held in HP Sure
Start–protected storage.
The HP Sure Start BIOS setting protection feature generates an event to the HP Sure Start ESC hardware whenever an
attempt to modify the BIOS settings is detected. The event is logged in the HP Sure Start audit log, and the local user
receives a notification from BIOS during boot.
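The machine-unique data, NIC settings and BIOS setting protection sections all describe the same boot-time pass with different recovery policies: factory-unique data is always restored, NIC settings only raise a warning unless the user asks for a restore, and BIOS settings are restored only once the user has enabled protection. The simulation below is an added example written for this page, not HP's implementation; the policy names, the 16-byte item size, the audit log layout and the constructed tampering scenario are all assumptions. It models the ESC backup as read-only to the boot pass (only the opt-in snapshot and an explicit user restore touch it) and shows what each policy leaves in flash after one boot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation of the per-boot integrity pass the white paper describes, with the
 * three policies it distinguishes. Names and layout are illustrative assumptions. */
enum policy { POLICY_RESTORE, POLICY_WARN_ONLY, POLICY_DISABLED };
enum event  { EV_RESTORED, EV_WARNED, EV_USER_RESTORE };

#define ITEM_LEN 16

struct protected_item {
    const char *name;
    enum policy policy;
    uint8_t live[ITEM_LEN];    /* contents of the shared system flash */
    uint8_t backup[ITEM_LEN];  /* copy in ESC-protected storage, read-only to BIOS */
};

struct audit_log {
    struct { const char *name; enum event ev; } entries[8];
    size_t count;
};

static void audit(struct audit_log *log, const char *name, enum event ev) {
    if (log->count < sizeof log->entries / sizeof log->entries[0]) {
        log->entries[log->count].name = name;
        log->entries[log->count].ev = ev;
        log->count++;
    }
}

/* Enabling BIOS setting protection snapshots the user's current settings into
 * protected storage and switches the item to automatic restore. */
void enable_setting_protection(struct protected_item *it) {
    memcpy(it->backup, it->live, ITEM_LEN);
    it->policy = POLICY_RESTORE;
}

/* User-initiated restore (the NIC settings path): always allowed, always logged. */
void user_restore(struct protected_item *it, struct audit_log *log) {
    memcpy(it->live, it->backup, ITEM_LEN);
    audit(log, it->name, EV_USER_RESTORE);
}

/* Boot-time pass. Returns the number of items whose live copy differed from the
 * backup; *notify is set when the user must be told during boot. */
int boot_integrity_check(struct protected_item *items, size_t n,
                         struct audit_log *log, bool *notify) {
    int modified = 0;
    *notify = false;
    for (size_t i = 0; i < n; i++) {
        struct protected_item *it = &items[i];
        if (it->policy == POLICY_DISABLED) continue;
        if (memcmp(it->live, it->backup, ITEM_LEN) == 0) continue;
        modified++;
        *notify = true;
        if (it->policy == POLICY_RESTORE) {
            memcpy(it->live, it->backup, ITEM_LEN);   /* flash rewritten from backup */
            audit(log, it->name, EV_RESTORED);
        } else {
            audit(log, it->name, EV_WARNED);          /* left as found; user decides */
        }
    }
    return modified;
}

struct scenario_result {
    int modified;              /* items found changed on the simulated boot */
    int restored, warned;      /* audit events of each kind after the boot pass */
    bool notify;
    bool nic_left_changed;     /* NIC values untouched by the boot pass */
    bool nic_back_to_factory;  /* after the explicit user restore */
};

/* Constructed scenario: factory state, user enables BIOS setting protection, an
 * attacker rewrites one byte of all three items while the system is off, then a boot. */
struct scenario_result run_scenario(void) {
    struct protected_item items[3] = {
        { "machine-unique data", POLICY_RESTORE,   {0}, {0} },
        { "NIC settings",        POLICY_WARN_ONLY, {0}, {0} },
        { "BIOS settings",       POLICY_DISABLED,  {0}, {0} },
    };
    struct audit_log log;
    struct scenario_result r;
    memset(&log, 0, sizeof log);
    memset(&r, 0, sizeof r);

    for (int i = 0; i < 3; i++) {                      /* factory: live == backup */
        memset(items[i].live, 0xA0 + i, ITEM_LEN);
        memcpy(items[i].backup, items[i].live, ITEM_LEN);
    }
    enable_setting_protection(&items[2]);              /* user opts in */
    for (int i = 0; i < 3; i++) items[i].live[5] ^= 0xFF;   /* tampering */

    r.modified = boot_integrity_check(items, 3, &log, &r.notify);
    for (size_t i = 0; i < log.count; i++) {
        if (log.entries[i].ev == EV_RESTORED) r.restored++;
        if (log.entries[i].ev == EV_WARNED)   r.warned++;
    }
    r.nic_left_changed = memcmp(items[1].live, items[1].backup, ITEM_LEN) != 0;
    user_restore(&items[1], &log);
    r.nic_back_to_factory = memcmp(items[1].live, items[1].backup, ITEM_LEN) == 0;
    return r;
}

int main(void) {
    struct scenario_result r = run_scenario();
    printf("modified=%d restored=%d warned=%d notify=%d nic_left=%d nic_fixed=%d\n",
           r.modified, r.restored, r.warned, r.notify, r.nic_left_changed,
           r.nic_back_to_factory);
    return 0;
}
```

Had the user not enabled BIOS setting protection, the third item would stay at POLICY_DISABLED, the tampered setting would survive the boot unnoticed, and the pass would report two modified items instead of three; that is the gap the opt-in feature closes.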
HP Sure Start–protected storage
Protected storage rooted in the HP Endpoint Security Controller hardware provides the highest level of protection for the
BIOS/firmware data and settings that HP Sure Start protects. HP Sure Start–protected storage is designed to provide
confidentiality, integrity, and tamper detection even if an attacker disassembles the system and establishes a direct
connection to the nonvolatile storage device on the circuit board.
Data integrity
The integrity of the dynamic data stored in nonvolatile memory by firmware and used to control the state of various
² HP Sure Start with Dynamic Protection is available on HP Elite products equipped with 6th generation Intel Core processors and higher.